add check user premission step

zakisk · zakisk · commit d37b5bdc6e5a · 2025-09-02T23:33:23.000+05:30
Signed-off-by: Zaki Shaikh &lt;zashaikh@redhat.com&gt;
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -31,7 +31,7 @@ jobs:
     if: >
       github.event_name == 'schedule' ||
       github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request_target' && contains(fromJSON('["zakisk", "infernus01", "savitaashture", "chmouel", "vdemeester", "enarha", "aThorp96", "waveywaves", "mathur07", "dependabot[bot]"]'), github.event.pull_request.user.login))
+      github.event_name == 'pull_request_target'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.provider }}-${{ github.event.pull_request.number || github.ref_name }}
       cancel-in-progress: true
@@ -72,6 +72,41 @@ jobs:
         with:
           ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
 
+      # Step to check PR author's org membership and repo permissions.
+      # This step will fail the job if checks do not pass, skipping subsequent steps.
+      - name: Check user permissions on PRs
+        if: github.event_name == 'pull_request_target'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = context.payload.pull_request.user.login;
+            const org = context.repo.owner;
+
+            // Allow dependabot and other bots unconditionally.
+            if (actor.endsWith('[bot]')) {
+              core.info(`User @${actor} is a bot, allowing.`);
+              return;
+            }
+
+            try {
+              // Directly check the user's permission level on the repository.
+              // This covers both org members and external collaborators with sufficient access.
+              const response = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: org,
+                repo: context.repo.repo,
+                username: actor,
+              });
+
+              const permission = response.data.permission;
+              if (permission !== 'admin' && permission !== 'write') {
+                core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`);
+              } else {
+                core.info(`✅ User @${actor} has '${permission}' repository permission. Proceeding.`);
+              }
+            } catch (error) {
+              core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`);
+            }
+
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
